@kirrosh/zond 0.26.0 → 0.27.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +59 -0
- package/README.md +22 -21
- package/bin/zond.mjs +23 -0
- package/package.json +13 -16
- package/scripts/npm/postinstall.mjs +76 -0
- package/src/CLAUDE.md +0 -112
- package/src/bun-types.d.ts +0 -5
- package/src/cli/argv.ts +0 -122
- package/src/cli/commands/add-api.ts +0 -146
- package/src/cli/commands/api/annotate/idempotency.ts +0 -59
- package/src/cli/commands/api/annotate/index.ts +0 -880
- package/src/cli/commands/api/annotate/lifecycle.ts +0 -74
- package/src/cli/commands/api/annotate/overlay.ts +0 -206
- package/src/cli/commands/api/annotate/pagination.ts +0 -64
- package/src/cli/commands/api/annotate/prompts.ts +0 -220
- package/src/cli/commands/api/annotate/readback.ts +0 -58
- package/src/cli/commands/api/annotate/resources.ts +0 -91
- package/src/cli/commands/api/annotate/seed-bodies.ts +0 -61
- package/src/cli/commands/audit.ts +0 -786
- package/src/cli/commands/catalog.ts +0 -97
- package/src/cli/commands/check.ts +0 -361
- package/src/cli/commands/checks.ts +0 -1072
- package/src/cli/commands/ci-init.ts +0 -223
- package/src/cli/commands/clean.ts +0 -212
- package/src/cli/commands/cleanup.ts +0 -236
- package/src/cli/commands/completions.ts +0 -192
- package/src/cli/commands/coverage.ts +0 -872
- package/src/cli/commands/db.ts +0 -611
- package/src/cli/commands/describe.ts +0 -120
- package/src/cli/commands/discover.ts +0 -1356
- package/src/cli/commands/doctor.ts +0 -661
- package/src/cli/commands/fixtures.ts +0 -402
- package/src/cli/commands/generate.ts +0 -577
- package/src/cli/commands/init/agents-md.ts +0 -61
- package/src/cli/commands/init/bootstrap.ts +0 -111
- package/src/cli/commands/init/index.ts +0 -244
- package/src/cli/commands/init/skills.ts +0 -141
- package/src/cli/commands/init/templates/agents.md +0 -86
- package/src/cli/commands/init/templates/markdown.d.ts +0 -4
- package/src/cli/commands/init/templates/skills/warm-up-target.md +0 -122
- package/src/cli/commands/init/templates/skills/zond-checks.md +0 -621
- package/src/cli/commands/init/templates/skills/zond-seed.md +0 -114
- package/src/cli/commands/init/templates/skills/zond-triage.md +0 -272
- package/src/cli/commands/init/templates/skills/zond.md +0 -861
- package/src/cli/commands/init/templates/zond-config.yml +0 -14
- package/src/cli/commands/prepare-fixtures.ts +0 -97
- package/src/cli/commands/probe/_seed-bodies.ts +0 -52
- package/src/cli/commands/probe/mass-assignment.ts +0 -594
- package/src/cli/commands/probe/security.ts +0 -537
- package/src/cli/commands/probe/static.ts +0 -255
- package/src/cli/commands/probe/webhooks.ts +0 -163
- package/src/cli/commands/probe.ts +0 -535
- package/src/cli/commands/reference.ts +0 -87
- package/src/cli/commands/refresh-api.ts +0 -227
- package/src/cli/commands/remove-api.ts +0 -150
- package/src/cli/commands/report-bundle.ts +0 -310
- package/src/cli/commands/report.ts +0 -241
- package/src/cli/commands/request.ts +0 -548
- package/src/cli/commands/run.ts +0 -1142
- package/src/cli/commands/schema-from-runs.ts +0 -128
- package/src/cli/commands/secrets.ts +0 -133
- package/src/cli/commands/session.ts +0 -244
- package/src/cli/commands/use.ts +0 -74
- package/src/cli/index.ts +0 -55
- package/src/cli/json-envelope.ts +0 -108
- package/src/cli/json-schemas.ts +0 -314
- package/src/cli/output.ts +0 -40
- package/src/cli/program.ts +0 -219
- package/src/cli/resolve.ts +0 -105
- package/src/cli/runtime.ts +0 -7
- package/src/cli/safe-live.ts +0 -24
- package/src/cli/status-filter.ts +0 -114
- package/src/cli/util/api-context.ts +0 -85
- package/src/cli/version.ts +0 -8
- package/src/core/audit/persist.ts +0 -183
- package/src/core/checks/budget.ts +0 -59
- package/src/core/checks/checks/_crud-helpers.ts +0 -133
- package/src/core/checks/checks/_negative_mutator.ts +0 -133
- package/src/core/checks/checks/_readback-helpers.ts +0 -133
- package/src/core/checks/checks/content_type_conformance.ts +0 -39
- package/src/core/checks/checks/cross_call_references.ts +0 -147
- package/src/core/checks/checks/cursor_boundary_fuzzing.ts +0 -219
- package/src/core/checks/checks/ensure_resource_availability.ts +0 -62
- package/src/core/checks/checks/idempotency_replay.ts +0 -242
- package/src/core/checks/checks/ignored_auth.ts +0 -254
- package/src/core/checks/checks/index.ts +0 -68
- package/src/core/checks/checks/lifecycle_transitions.ts +0 -416
- package/src/core/checks/checks/missing_required_header.ts +0 -40
- package/src/core/checks/checks/negative_data_rejection.ts +0 -148
- package/src/core/checks/checks/not_a_server_error.ts +0 -35
- package/src/core/checks/checks/open_cors_on_sensitive.ts +0 -160
- package/src/core/checks/checks/pagination_invariants.ts +0 -419
- package/src/core/checks/checks/positive_data_acceptance.ts +0 -33
- package/src/core/checks/checks/rate_limit_headers_absent.ts +0 -77
- package/src/core/checks/checks/response_headers_conformance.ts +0 -74
- package/src/core/checks/checks/response_schema_conformance.ts +0 -30
- package/src/core/checks/checks/status_code_conformance.ts +0 -132
- package/src/core/checks/checks/unsupported_method.ts +0 -63
- package/src/core/checks/checks/use_after_free.ts +0 -78
- package/src/core/checks/index.ts +0 -30
- package/src/core/checks/mode.ts +0 -82
- package/src/core/checks/recommended-action.ts +0 -68
- package/src/core/checks/registry.ts +0 -78
- package/src/core/checks/runner.ts +0 -1461
- package/src/core/checks/sarif.ts +0 -230
- package/src/core/checks/spec-findings.ts +0 -308
- package/src/core/checks/stateful.ts +0 -121
- package/src/core/checks/types.ts +0 -305
- package/src/core/checks/zond-extensions.ts +0 -73
- package/src/core/classifier/recommended-action.ts +0 -251
- package/src/core/context/current.ts +0 -51
- package/src/core/context/session.ts +0 -78
- package/src/core/coverage/loader.ts +0 -216
- package/src/core/coverage/reasons.ts +0 -300
- package/src/core/diagnostics/db-analysis.ts +0 -666
- package/src/core/diagnostics/failure-class.ts +0 -140
- package/src/core/diagnostics/failure-hints.ts +0 -112
- package/src/core/diagnostics/spec-pointer.ts +0 -99
- package/src/core/diagnostics/suggested-fixes.ts +0 -155
- package/src/core/exporter/case-study/index.ts +0 -270
- package/src/core/exporter/curl.ts +0 -40
- package/src/core/exporter/exporter.ts +0 -48
- package/src/core/exporter/html-report/escape.ts +0 -24
- package/src/core/exporter/html-report/index.ts +0 -479
- package/src/core/exporter/html-report/script.ts +0 -100
- package/src/core/exporter/html-report/styles.ts +0 -408
- package/src/core/generator/catalog-builder.ts +0 -179
- package/src/core/generator/chunker.ts +0 -78
- package/src/core/generator/coverage-phase.ts +0 -0
- package/src/core/generator/coverage-scanner.ts +0 -87
- package/src/core/generator/data-factory.ts +0 -759
- package/src/core/generator/describe.ts +0 -302
- package/src/core/generator/endpoint-warnings.ts +0 -52
- package/src/core/generator/fixtures-builder.ts +0 -332
- package/src/core/generator/index.ts +0 -14
- package/src/core/generator/openapi-reader.ts +0 -297
- package/src/core/generator/path-param-disambig.ts +0 -140
- package/src/core/generator/resources-builder.ts +0 -898
- package/src/core/generator/schema-utils.ts +0 -112
- package/src/core/generator/serializer.ts +0 -343
- package/src/core/generator/suite-generator.ts +0 -1301
- package/src/core/generator/types.ts +0 -63
- package/src/core/identity/identity-file.ts +0 -0
- package/src/core/lint/affects.ts +0 -28
- package/src/core/lint/config.ts +0 -96
- package/src/core/lint/format.ts +0 -42
- package/src/core/lint/index.ts +0 -94
- package/src/core/lint/reporter.ts +0 -128
- package/src/core/lint/rules/consistency.ts +0 -158
- package/src/core/lint/rules/heuristics.ts +0 -97
- package/src/core/lint/rules/strictness.ts +0 -109
- package/src/core/lint/types.ts +0 -96
- package/src/core/lint/walker.ts +0 -248
- package/src/core/meta/meta-store.ts +0 -11
- package/src/core/output/README.md +0 -73
- package/src/core/output/index.ts +0 -13
- package/src/core/output/run.ts +0 -91
- package/src/core/output/types.ts +0 -122
- package/src/core/parser/dynamic-values.ts +0 -160
- package/src/core/parser/env-interpolation.ts +0 -104
- package/src/core/parser/filter.ts +0 -97
- package/src/core/parser/schema.ts +0 -359
- package/src/core/parser/types.ts +0 -117
- package/src/core/parser/variables.ts +0 -0
- package/src/core/parser/yaml-parser.ts +0 -181
- package/src/core/probe/bootstrap.ts +0 -34
- package/src/core/probe/dry-run-envelope.ts +0 -61
- package/src/core/probe/mass-assignment/classify.ts +0 -175
- package/src/core/probe/mass-assignment/cleanup.ts +0 -52
- package/src/core/probe/mass-assignment/digest.ts +0 -114
- package/src/core/probe/mass-assignment/orchestrator.ts +0 -459
- package/src/core/probe/mass-assignment/regression.ts +0 -141
- package/src/core/probe/mass-assignment/suspects.ts +0 -92
- package/src/core/probe/mass-assignment/types.ts +0 -135
- package/src/core/probe/mass-assignment-probe-class.ts +0 -198
- package/src/core/probe/mass-assignment-probe.ts +0 -27
- package/src/core/probe/mass-assignment-template.ts +0 -240
- package/src/core/probe/method-probe.ts +0 -164
- package/src/core/probe/method-shared.ts +0 -69
- package/src/core/probe/negative-probe.ts +0 -691
- package/src/core/probe/orphan-tracker.ts +0 -188
- package/src/core/probe/path-discovery.ts +0 -439
- package/src/core/probe/probe-harness.ts +0 -119
- package/src/core/probe/registry.ts +0 -89
- package/src/core/probe/runner.ts +0 -136
- package/src/core/probe/security/baseline.ts +0 -174
- package/src/core/probe/security/classify.ts +0 -341
- package/src/core/probe/security/cleanup.ts +0 -125
- package/src/core/probe/security/detectors.ts +0 -71
- package/src/core/probe/security/digest.ts +0 -104
- package/src/core/probe/security/orchestrator.ts +0 -398
- package/src/core/probe/security/regression.ts +0 -103
- package/src/core/probe/security/types.ts +0 -151
- package/src/core/probe/security-probe-class.ts +0 -207
- package/src/core/probe/security-probe.ts +0 -32
- package/src/core/probe/shared.ts +0 -531
- package/src/core/probe/static-probe-class.ts +0 -125
- package/src/core/probe/types.ts +0 -165
- package/src/core/probe/verdict-aggregator.ts +0 -33
- package/src/core/probe/webhooks-probe.ts +0 -282
- package/src/core/reporter/console.ts +0 -240
- package/src/core/reporter/index.ts +0 -22
- package/src/core/reporter/json.ts +0 -22
- package/src/core/reporter/junit.ts +0 -93
- package/src/core/reporter/ndjson.ts +0 -37
- package/src/core/reporter/types.ts +0 -15
- package/src/core/runner/assertions.ts +0 -383
- package/src/core/runner/async-pool.ts +0 -108
- package/src/core/runner/auth-path.ts +0 -8
- package/src/core/runner/ci-context.ts +0 -72
- package/src/core/runner/executor.ts +0 -652
- package/src/core/runner/expr-eval.ts +0 -41
- package/src/core/runner/form-encode.ts +0 -41
- package/src/core/runner/http-client.ts +0 -224
- package/src/core/runner/learn-drift.ts +0 -293
- package/src/core/runner/preflight-vars.ts +0 -153
- package/src/core/runner/progress-tracker.ts +0 -73
- package/src/core/runner/rate-limiter.ts +0 -185
- package/src/core/runner/run-kind.ts +0 -45
- package/src/core/runner/schema-validator.ts +0 -308
- package/src/core/runner/send-request.ts +0 -232
- package/src/core/runner/transforms.ts +0 -65
- package/src/core/runner/types.ts +0 -94
- package/src/core/secrets/registry.ts +0 -164
- package/src/core/secrets/secrets-file.ts +0 -115
- package/src/core/selectors/operation-filter.ts +0 -144
- package/src/core/setup-api.ts +0 -590
- package/src/core/severity/category.ts +0 -94
- package/src/core/severity/index.ts +0 -58
- package/src/core/spec/infer-schema.ts +0 -102
- package/src/core/spec/layers.ts +0 -154
- package/src/core/spec/merge-specs.ts +0 -156
- package/src/core/spec/schema-from-runs.ts +0 -117
- package/src/core/spec/schema-overlay.ts +0 -130
- package/src/core/util/ajv.ts +0 -13
- package/src/core/util/format-eta.ts +0 -21
- package/src/core/util/headers.ts +0 -9
- package/src/core/util/url.ts +0 -24
- package/src/core/utils.ts +0 -13
- package/src/core/workspace/config.ts +0 -129
- package/src/core/workspace/fixture-gap-report.ts +0 -84
- package/src/core/workspace/fixture-gaps.ts +0 -71
- package/src/core/workspace/manifest.ts +0 -283
- package/src/core/workspace/output-rotation.ts +0 -62
- package/src/core/workspace/root.ts +0 -96
- package/src/core/workspace/triage-path.ts +0 -87
- package/src/db/lint-runs.ts +0 -47
- package/src/db/migrate.ts +0 -128
- package/src/db/migrations/0001_run_kind.sql +0 -25
- package/src/db/migrations/0002_run_kind_request.sql +0 -59
- package/src/db/migrations/sql.d.ts +0 -4
- package/src/db/queries/collections.ts +0 -133
- package/src/db/queries/coverage.ts +0 -9
- package/src/db/queries/dashboard.ts +0 -59
- package/src/db/queries/results.ts +0 -216
- package/src/db/queries/runs.ts +0 -289
- package/src/db/queries/sessions.ts +0 -42
- package/src/db/queries/settings.ts +0 -28
- package/src/db/queries/types.ts +0 -172
- package/src/db/queries.ts +0 -75
- package/src/db/schema.ts +0 -298
|
@@ -1,140 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* TASK-101: failure classification — definitely_bug / likely_bug / quirk / env_issue.
|
|
3
|
-
*
|
|
4
|
-
* Goal: бэкендер за секунду видит «реально баг» vs «quirk зонда / probe
|
|
5
|
-
* фолс-позитив». Чисто read-only классификация: не меняет статус step,
|
|
6
|
-
* не влияет на pass/fail. Только tag-овая аналитика.
|
|
7
|
-
*/
|
|
8
|
-
|
|
9
|
-
import type { StepResult, AssertionResult } from "../runner/types.ts";
|
|
10
|
-
import type { SourceMetadata } from "../parser/types.ts";
|
|
11
|
-
|
|
12
|
-
export type FailureClass =
|
|
13
|
-
| "definitely_bug"
|
|
14
|
-
| "likely_bug"
|
|
15
|
-
| "quirk"
|
|
16
|
-
| "env_issue"
|
|
17
|
-
/** Step was skipped because an upstream step failed to produce a required
|
|
18
|
-
* capture (or produced a tainted one). Not a failure on its own — render
|
|
19
|
-
* collapsed under the root failure to avoid drowning the user. */
|
|
20
|
-
| "cascade";
|
|
21
|
-
|
|
22
|
-
export interface FailureClassification {
|
|
23
|
-
failure_class: FailureClass;
|
|
24
|
-
failure_class_reason: string;
|
|
25
|
-
}
|
|
26
|
-
|
|
27
|
-
function failedAssertionsOf(result: StepResult): AssertionResult[] {
|
|
28
|
-
return result.assertions.filter((a) => !a.passed);
|
|
29
|
-
}
|
|
30
|
-
|
|
31
|
-
function ruleStartsWith(a: AssertionResult, prefix: string): boolean {
|
|
32
|
-
return typeof a.rule === "string" && a.rule.startsWith(prefix);
|
|
33
|
-
}
|
|
34
|
-
|
|
35
|
-
function expectedStatusList(a: AssertionResult): number[] | null {
|
|
36
|
-
if (Array.isArray(a.expected)) {
|
|
37
|
-
const arr = a.expected.filter((v): v is number => typeof v === "number");
|
|
38
|
-
return arr.length > 0 ? arr : null;
|
|
39
|
-
}
|
|
40
|
-
return typeof a.expected === "number" ? [a.expected] : null;
|
|
41
|
-
}
|
|
42
|
-
|
|
43
|
-
/**
|
|
44
|
-
* Classify a failed step. Returns `null` for pass/skip/unclassifiable failures —
|
|
45
|
-
* UI renders those as "unclassified" rather than crashing.
|
|
46
|
-
*/
|
|
47
|
-
export function classifyFailure(result: StepResult): FailureClassification | null {
|
|
48
|
-
if (result.status === "pass" || result.status === "skip") return null;
|
|
49
|
-
|
|
50
|
-
// Network/runtime error before any HTTP response → env-side
|
|
51
|
-
if (result.status === "error") {
|
|
52
|
-
return {
|
|
53
|
-
failure_class: "env_issue",
|
|
54
|
-
failure_class_reason: result.error ?? "request failed before producing a response",
|
|
55
|
-
};
|
|
56
|
-
}
|
|
57
|
-
|
|
58
|
-
const respStatus = result.response?.status;
|
|
59
|
-
const provenance: SourceMetadata | null | undefined = result.provenance;
|
|
60
|
-
const generator = typeof provenance?.generator === "string" ? provenance.generator : undefined;
|
|
61
|
-
const failed = failedAssertionsOf(result);
|
|
62
|
-
|
|
63
|
-
// 1. Backend 5xx — always a backend bug regardless of test intent.
|
|
64
|
-
if (typeof respStatus === "number" && respStatus >= 500) {
|
|
65
|
-
return {
|
|
66
|
-
failure_class: "definitely_bug",
|
|
67
|
-
failure_class_reason: `API returned ${respStatus} — server-side error`,
|
|
68
|
-
};
|
|
69
|
-
}
|
|
70
|
-
|
|
71
|
-
// 2. Response did not match its OpenAPI schema — spec guarantees X, server returned ≠ X.
|
|
72
|
-
const schemaFail = failed.find((a) => ruleStartsWith(a, "schema."));
|
|
73
|
-
if (schemaFail) {
|
|
74
|
-
return {
|
|
75
|
-
failure_class: "definitely_bug",
|
|
76
|
-
failure_class_reason: `Response violates OpenAPI schema at ${schemaFail.field}`,
|
|
77
|
-
};
|
|
78
|
-
}
|
|
79
|
-
|
|
80
|
-
// 3. Mass-assignment probe: extras must not apply. A failed not_equals
|
|
81
|
-
// assertion on this generator means the sentinel value leaked through.
|
|
82
|
-
if (generator === "mass-assignment-probe") {
|
|
83
|
-
const extrasLeak = failed.find(
|
|
84
|
-
(a) => ruleStartsWith(a, "not_equals") || ruleStartsWith(a, "set_equals"),
|
|
85
|
-
);
|
|
86
|
-
if (extrasLeak) {
|
|
87
|
-
return {
|
|
88
|
-
failure_class: "definitely_bug",
|
|
89
|
-
failure_class_reason: `Mass-assignment: client-supplied extras were accepted (${extrasLeak.field})`,
|
|
90
|
-
};
|
|
91
|
-
}
|
|
92
|
-
}
|
|
93
|
-
|
|
94
|
-
// 4. ARV-236: 401/403 on a step that expected success → env_issue
|
|
95
|
-
// ("token_scope"). Surfaces narrowly-scoped tokens (Resend free plan,
|
|
96
|
-
// GitHub PAT without `repo`, Stripe restricted key, etc.) so coverage
|
|
97
|
-
// and triage don't tag them as fail. Only fires when the failing
|
|
98
|
-
// assertion is on `status` and the expected status was 2xx — a real
|
|
99
|
-
// "expect 403" test deliberately checking auth still classifies normally.
|
|
100
|
-
if (typeof respStatus === "number" && (respStatus === 401 || respStatus === 403)) {
|
|
101
|
-
const statusFail = failed.find((a) => a.field === "status");
|
|
102
|
-
if (statusFail) {
|
|
103
|
-
const expected = expectedStatusList(statusFail);
|
|
104
|
-
const allExpected2xx = expected?.every((s) => s >= 200 && s < 300) ?? false;
|
|
105
|
-
if (allExpected2xx) {
|
|
106
|
-
return {
|
|
107
|
-
failure_class: "env_issue",
|
|
108
|
-
failure_class_reason: `token_scope: API returned ${respStatus} where the test expected ${expected!.join("/")} — token lacks scope or plan for this endpoint`,
|
|
109
|
-
};
|
|
110
|
-
}
|
|
111
|
-
}
|
|
112
|
-
}
|
|
113
|
-
|
|
114
|
-
// 5. Negative-probe family — distinguish "API accepted bad input" (likely_bug)
|
|
115
|
-
// from "API rejected with a different 4xx" (quirk).
|
|
116
|
-
if (generator === "negative-probe" || generator === "method-probe") {
|
|
117
|
-
const statusFail = failed.find((a) => a.field === "status");
|
|
118
|
-
if (statusFail && typeof respStatus === "number") {
|
|
119
|
-
const expected = expectedStatusList(statusFail);
|
|
120
|
-
const allExpected4xx = expected?.every((s) => s >= 400 && s < 500) ?? false;
|
|
121
|
-
if (allExpected4xx) {
|
|
122
|
-
if (respStatus >= 200 && respStatus < 300) {
|
|
123
|
-
return {
|
|
124
|
-
failure_class: "likely_bug",
|
|
125
|
-
failure_class_reason: `Negative probe expected 4xx, got ${respStatus} — API accepts invalid input`,
|
|
126
|
-
};
|
|
127
|
-
}
|
|
128
|
-
if (respStatus >= 400 && respStatus < 500) {
|
|
129
|
-
return {
|
|
130
|
-
failure_class: "quirk",
|
|
131
|
-
failure_class_reason: `Negative probe expected ${expected!.join("/")}, got ${respStatus} — different 4xx code`,
|
|
132
|
-
};
|
|
133
|
-
}
|
|
134
|
-
}
|
|
135
|
-
}
|
|
136
|
-
}
|
|
137
|
-
|
|
138
|
-
// Default: leave unclassified. UI / CLI render as "unclassified".
|
|
139
|
-
return null;
|
|
140
|
-
}
|
|
@@ -1,112 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Failure classification → closed-enum `recommended_action`.
|
|
3
|
-
* ARV-338: prose hints (statusHint/envHint/softDeleteHint/schemaHint,
|
|
4
|
-
* env_issue clustering, auth_hint, agent_directive) removed — the agent
|
|
5
|
-
* triages by enum + raw evidence, not by heuristic guess-text.
|
|
6
|
-
*/
|
|
7
|
-
|
|
8
|
-
import { classify } from "../classifier/recommended-action.ts";
|
|
9
|
-
|
|
10
|
-
export function classifyFailure(status: string, responseStatus: number | null): "api_error" | "assertion_failed" | "network_error" {
|
|
11
|
-
if (status === "error" && (responseStatus === null || responseStatus < 500)) return "network_error";
|
|
12
|
-
if (responseStatus !== null && responseStatus >= 500) return "api_error";
|
|
13
|
-
return "assertion_failed";
|
|
14
|
-
}
|
|
15
|
-
|
|
16
|
-
export type RecommendedAction =
|
|
17
|
-
| "report_backend_bug"
|
|
18
|
-
| "fix_auth_config"
|
|
19
|
-
| "fix_test_logic"
|
|
20
|
-
| "fix_network_config"
|
|
21
|
-
| "fix_env"
|
|
22
|
-
/** Fix the OpenAPI spec — emitted by lint-spec.Issue (TASK-294) and
|
|
23
|
-
* by `status_code_conformance` / `*_conformance` checks (ARV-11). */
|
|
24
|
-
| "fix_spec"
|
|
25
|
-
/** Add or correct a fixture in .env.yaml — emitted by discover for
|
|
26
|
-
* miss-* states (TASK-294). */
|
|
27
|
-
| "fix_fixture"
|
|
28
|
-
/** ARV-42 — generator-emitted suite produced a body the API rejected
|
|
29
|
-
* (4xx with validation hint). Editing the YAML is wrong: the next
|
|
30
|
-
* `zond generate` would clobber it. Re-run generate (or refine the
|
|
31
|
-
* spec/.api-resources hints) instead. */
|
|
32
|
-
| "regenerate_suite"
|
|
33
|
-
/** ARV-11 — server accepted an invalid request body. Backend should
|
|
34
|
-
* reject earlier; the test isn't wrong. */
|
|
35
|
-
| "tighten_validation"
|
|
36
|
-
/** ARV-11 — server didn't enforce a header marked `required: true`
|
|
37
|
-
* in the spec. Either enforce it, or drop `required` in the spec. */
|
|
38
|
-
| "add_required_header"
|
|
39
|
-
/** ARV-11 — known limitation that the team has accepted. Agents
|
|
40
|
-
* should not retry, file a bug, or include in dashboards. */
|
|
41
|
-
| "wontfix_known_limitation";
|
|
42
|
-
|
|
43
|
-
export function recommendedAction(
|
|
44
|
-
failureType: "api_error" | "assertion_failed" | "network_error",
|
|
45
|
-
responseStatus: number | null,
|
|
46
|
-
): RecommendedAction {
|
|
47
|
-
// ARV-56: delegate to the single classifier.
|
|
48
|
-
const action = classify({
|
|
49
|
-
finding_class: failureType === "api_error" ? "test:api_error" :
|
|
50
|
-
failureType === "network_error" ? "test:network_error" : "test:assertion_failed",
|
|
51
|
-
status: responseStatus,
|
|
52
|
-
});
|
|
53
|
-
// The three failure_type classes are total in the classifier — a missing
|
|
54
|
-
// branch means a future refactor stripped one; surface loudly.
|
|
55
|
-
if (!action) throw new Error(`classifier returned no action for failure_type=${failureType} status=${responseStatus}`);
|
|
56
|
-
return action;
|
|
57
|
-
}
|
|
58
|
-
|
|
59
|
-
/**
|
|
60
|
-
* ARV-42: extended recommender that knows whether the failing test was
|
|
61
|
-
* emitted by `zond generate`. For generated suites, "fix_test_logic" is
|
|
62
|
-
* actively misleading — the generated YAML carries the header
|
|
63
|
-
* "⚠️ Edits will be overwritten on regenerate" and the next `zond audit`
|
|
64
|
-
* really does clobber manual edits. Branch into the actually-actionable
|
|
65
|
-
* remediation instead.
|
|
66
|
-
*
|
|
67
|
-
* - 4xx (400/422) → regenerate_suite: the body the generator emitted
|
|
68
|
-
* didn't pass validation; either re-run generate (so newer heuristics
|
|
69
|
-
* apply, e.g. ARV-38 default-string) or tighten .api-resources hints.
|
|
70
|
-
* - 404 → fix_fixture: a path-param resolved to an empty / stale id
|
|
71
|
-
* in .env.yaml; `prepare-fixtures --seed` is the correct remedy.
|
|
72
|
-
* - everything else → falls back to recommendedAction (auth → 401/403,
|
|
73
|
-
* api_error → 5xx, etc.).
|
|
74
|
-
*
|
|
75
|
-
* `isGenerated` is the heuristic from db-analysis: provenance.type
|
|
76
|
-
* "openapi-generated" OR suite_file under apis/<api>/tests/.
|
|
77
|
-
*/
|
|
78
|
-
export function recommendedActionForGenerated(
|
|
79
|
-
failureType: "api_error" | "assertion_failed" | "network_error",
|
|
80
|
-
responseStatus: number | null,
|
|
81
|
-
isGenerated: boolean,
|
|
82
|
-
schemaViolation = false,
|
|
83
|
-
): RecommendedAction {
|
|
84
|
-
// ARV-56: delegate to classifier. `isGenerated` is encoded via a
|
|
85
|
-
// synthetic suite_path so the same logic flows through classify().
|
|
86
|
-
// ARV-103 (F8): `schemaViolation` propagates the assertion-kind flag —
|
|
87
|
-
// when true, the classifier's "treat schema bugs like 5xx" branch wins
|
|
88
|
-
// over the generator's regenerate_suite default.
|
|
89
|
-
const action = classify({
|
|
90
|
-
finding_class: failureType === "api_error" ? "test:api_error" :
|
|
91
|
-
failureType === "network_error" ? "test:network_error" : "test:assertion_failed",
|
|
92
|
-
status: responseStatus,
|
|
93
|
-
...(isGenerated ? { suite_path: "apis/_/tests/_.yaml" } : {}),
|
|
94
|
-
...(schemaViolation ? { schema_violation: true } : {}),
|
|
95
|
-
});
|
|
96
|
-
if (!action) throw new Error(`classifier returned no action for failure_type=${failureType} status=${responseStatus}`);
|
|
97
|
-
return action;
|
|
98
|
-
}
|
|
99
|
-
|
|
100
|
-
/** ARV-42: classify a failing result row as generator-emitted. The two
|
|
101
|
-
* signals are independent — provenance is missing on older runs, while
|
|
102
|
-
* suite_file disambiguates against ad-hoc YAMLs the user dropped into
|
|
103
|
-
* apis/<api>/tests/ themselves (rare but supported). */
|
|
104
|
-
export function isGeneratedTest(
|
|
105
|
-
provenance: { type?: string; generator?: string } | null | undefined,
|
|
106
|
-
suite_file: string | null | undefined,
|
|
107
|
-
): boolean {
|
|
108
|
-
if (provenance?.type === "openapi-generated") return true;
|
|
109
|
-
if (provenance?.generator && provenance.generator.toLowerCase().includes("zond")) return true;
|
|
110
|
-
if (typeof suite_file === "string" && /(^|\/)apis\/[^/]+\/tests\//.test(suite_file)) return true;
|
|
111
|
-
return false;
|
|
112
|
-
}
|
|
@@ -1,99 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* TASK-102: build a JSON Pointer (RFC 6901) into the OpenAPI document for the
|
|
3
|
-
* response branch a step exercises, plus a small excerpt of the schema at that
|
|
4
|
-
* pointer. The excerpt is captured at run time and frozen into the DB so that
|
|
5
|
-
* later spec edits can't rewrite history.
|
|
6
|
-
*
|
|
7
|
-
* Inputs come from {@link SourceMetadata} populated by TASK-100:
|
|
8
|
-
* - `endpoint` e.g. "POST /webhooks"
|
|
9
|
-
* - `response_branch` e.g. "422" or "400|422" (first wins for the pointer)
|
|
10
|
-
*/
|
|
11
|
-
|
|
12
|
-
import type { SourceMetadata } from "../parser/types.ts";
|
|
13
|
-
|
|
14
|
-
export interface SpecPointer {
|
|
15
|
-
pointer: string;
|
|
16
|
-
excerpt: string;
|
|
17
|
-
}
|
|
18
|
-
|
|
19
|
-
const EXCERPT_MAX_BYTES = 500;
|
|
20
|
-
|
|
21
|
-
function escapeJsonPointerSegment(s: string): string {
|
|
22
|
-
return s.replace(/~/g, "~0").replace(/\//g, "~1");
|
|
23
|
-
}
|
|
24
|
-
|
|
25
|
-
function parseEndpoint(endpoint: string): { method: string; path: string } | null {
|
|
26
|
-
const m = endpoint.match(/^([A-Z]+)\s+(\/.*)$/);
|
|
27
|
-
if (!m) return null;
|
|
28
|
-
return { method: m[1]!.toLowerCase(), path: m[2]! };
|
|
29
|
-
}
|
|
30
|
-
|
|
31
|
-
function pickPrimaryStatus(responseBranch: string | undefined): string | null {
|
|
32
|
-
if (!responseBranch) return null;
|
|
33
|
-
const first = responseBranch.split(/[|,\s]/).find((s) => /^\d{3}$/.test(s));
|
|
34
|
-
return first ?? null;
|
|
35
|
-
}
|
|
36
|
-
|
|
37
|
-
function trimExcerpt(json: string): string {
|
|
38
|
-
if (json.length <= EXCERPT_MAX_BYTES) return json;
|
|
39
|
-
return json.slice(0, EXCERPT_MAX_BYTES) + "\n…[truncated]";
|
|
40
|
-
}
|
|
41
|
-
|
|
42
|
-
/**
|
|
43
|
-
* Resolve the response operation in the OpenAPI document and produce a pointer
|
|
44
|
-
* + frozen excerpt. Returns `null` if any link in the chain is missing — caller
|
|
45
|
-
* persists `null` rather than crashing.
|
|
46
|
-
*/
|
|
47
|
-
export function buildSpecPointer(
|
|
48
|
-
source: SourceMetadata | null | undefined,
|
|
49
|
-
openApiDoc: unknown,
|
|
50
|
-
): SpecPointer | null {
|
|
51
|
-
if (!source || !openApiDoc || typeof openApiDoc !== "object") return null;
|
|
52
|
-
if (typeof source.endpoint !== "string") return null;
|
|
53
|
-
|
|
54
|
-
const parsed = parseEndpoint(source.endpoint);
|
|
55
|
-
if (!parsed) return null;
|
|
56
|
-
const status = pickPrimaryStatus(source.response_branch ?? undefined);
|
|
57
|
-
if (!status) return null;
|
|
58
|
-
|
|
59
|
-
const doc = openApiDoc as Record<string, unknown>;
|
|
60
|
-
const paths = doc.paths as Record<string, unknown> | undefined;
|
|
61
|
-
if (!paths || typeof paths !== "object") return null;
|
|
62
|
-
|
|
63
|
-
const pathItem = paths[parsed.path] as Record<string, unknown> | undefined;
|
|
64
|
-
if (!pathItem || typeof pathItem !== "object") return null;
|
|
65
|
-
|
|
66
|
-
const operation = pathItem[parsed.method] as Record<string, unknown> | undefined;
|
|
67
|
-
if (!operation || typeof operation !== "object") return null;
|
|
68
|
-
|
|
69
|
-
const responses = operation.responses as Record<string, unknown> | undefined;
|
|
70
|
-
if (!responses || typeof responses !== "object") return null;
|
|
71
|
-
|
|
72
|
-
const response = (responses[status] ?? responses.default) as Record<string, unknown> | undefined;
|
|
73
|
-
if (!response || typeof response !== "object") return null;
|
|
74
|
-
|
|
75
|
-
const escapedPath = escapeJsonPointerSegment(parsed.path);
|
|
76
|
-
let pointer = `#/paths/${escapedPath}/${parsed.method}/responses/${status}`;
|
|
77
|
-
let excerptValue: unknown = response;
|
|
78
|
-
|
|
79
|
-
// Drill into application/json schema when available — that's the most useful
|
|
80
|
-
// surface for UI rendering ("backend promised X, returned Y").
|
|
81
|
-
const content = response.content as Record<string, unknown> | undefined;
|
|
82
|
-
if (content && typeof content === "object") {
|
|
83
|
-
const jsonMedia = (content["application/json"] ?? content["application/json; charset=utf-8"]) as
|
|
84
|
-
| Record<string, unknown>
|
|
85
|
-
| undefined;
|
|
86
|
-
if (jsonMedia && typeof jsonMedia === "object" && "schema" in jsonMedia) {
|
|
87
|
-
pointer += "/content/application~1json/schema";
|
|
88
|
-
excerptValue = jsonMedia.schema;
|
|
89
|
-
}
|
|
90
|
-
}
|
|
91
|
-
|
|
92
|
-
let excerpt: string;
|
|
93
|
-
try {
|
|
94
|
-
excerpt = JSON.stringify(excerptValue, null, 2);
|
|
95
|
-
} catch {
|
|
96
|
-
excerpt = String(excerptValue);
|
|
97
|
-
}
|
|
98
|
-
return { pointer, excerpt: trimExcerpt(excerpt) };
|
|
99
|
-
}
|
|
@@ -1,155 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* TASK-29: actionable "Suggested fixes" surfaces for `zond db diagnose`.
|
|
3
|
-
*
|
|
4
|
-
* The base diagnose envelope already classifies failures and wires
|
|
5
|
-
* recommended_action. This layer adds two concrete, fixable signals that
|
|
6
|
-
* the LLM agent can act on without a second round-trip:
|
|
7
|
-
*
|
|
8
|
-
* 1. Placeholder path-params on 404s — when a 404 hits a URL that still
|
|
9
|
-
* contains literal example/placeholder values (`example`, all-zeros
|
|
10
|
-
* UUID, `your-…-here`, `00000000-…`, …), surface the exact path
|
|
11
|
-
* segment that's broken plus the variable name we'd expect (best-effort
|
|
12
|
-
* from the segment shape).
|
|
13
|
-
*
|
|
14
|
-
* 2. Untilled .env.yaml keys — read the API's .env.yaml and flag values
|
|
15
|
-
* that are empty, `<TODO>`, `example`, `null`, or look like
|
|
16
|
-
* placeholders (`replace-me`, `your-...`). These block CRUD sweeps
|
|
17
|
-
* silently — without them, the agent can't tell apart "value missing"
|
|
18
|
-
* from "value present and wrong".
|
|
19
|
-
*/
|
|
20
|
-
import { existsSync, readFileSync } from "node:fs";
|
|
21
|
-
import { parse as parseYaml } from "yaml";
|
|
22
|
-
|
|
23
|
-
export type SuggestedFixKind =
|
|
24
|
-
| "placeholder_path_param"
|
|
25
|
-
| "unfilled_env_key";
|
|
26
|
-
|
|
27
|
-
export interface SuggestedFix {
|
|
28
|
-
kind: SuggestedFixKind;
|
|
29
|
-
/** When `kind=unfilled_env_key`: the key name. When `kind=placeholder_path_param`:
|
|
30
|
-
* the path segment that looks like a placeholder. */
|
|
31
|
-
key: string;
|
|
32
|
-
message: string;
|
|
33
|
-
/** File path the user should edit (usually the API's .env.yaml). */
|
|
34
|
-
source?: string;
|
|
35
|
-
/** Optional one-line example of what to put there. */
|
|
36
|
-
example?: string;
|
|
37
|
-
}
|
|
38
|
-
|
|
39
|
-
const PLACEHOLDER_PATTERNS: Array<{ re: RegExp; reason: string }> = [
|
|
40
|
-
{ re: /^example$/i, reason: "literal `example`" },
|
|
41
|
-
{ re: /^placeholder$/i, reason: "literal `placeholder`" },
|
|
42
|
-
{ re: /^your-[\w-]+-here$/i, reason: "`your-…-here` placeholder" },
|
|
43
|
-
{ re: /^00000000-0000-0000-0000-0+(?:beef|dead|cafe|f00d|0+)$/i, reason: "all-zero / sentinel UUID" },
|
|
44
|
-
{ re: /^0+$/, reason: "all-zero numeric id" },
|
|
45
|
-
{ re: /^replace-me$/i, reason: "`replace-me` placeholder" },
|
|
46
|
-
];
|
|
47
|
-
|
|
48
|
-
const ENV_PLACEHOLDER_PATTERNS: Array<{ re: RegExp; reason: string }> = [
|
|
49
|
-
{ re: /^<.*>$/, reason: "TODO / angle-bracket placeholder" },
|
|
50
|
-
{ re: /^example$/i, reason: "literal `example`" },
|
|
51
|
-
{ re: /^placeholder$/i, reason: "literal `placeholder`" },
|
|
52
|
-
{ re: /^your-[\w-]+-here$/i, reason: "`your-…-here` placeholder" },
|
|
53
|
-
{ re: /^replace-?me$/i, reason: "`replace-me` placeholder" },
|
|
54
|
-
{ re: /^<TODO>$/i, reason: "explicit TODO" },
|
|
55
|
-
];
|
|
56
|
-
|
|
57
|
-
/** Identify path segments that look like placeholders. Used on 404 URLs. */
|
|
58
|
-
export function detectPlaceholderSegments(url: string | null): Array<{ segment: string; reason: string }> {
|
|
59
|
-
if (!url) return [];
|
|
60
|
-
let pathname: string;
|
|
61
|
-
try {
|
|
62
|
-
pathname = url.startsWith("http") ? new URL(url).pathname : url.split("?")[0]!;
|
|
63
|
-
} catch {
|
|
64
|
-
pathname = url;
|
|
65
|
-
}
|
|
66
|
-
const out: Array<{ segment: string; reason: string }> = [];
|
|
67
|
-
for (const seg of pathname.split("/").filter(Boolean)) {
|
|
68
|
-
for (const { re, reason } of PLACEHOLDER_PATTERNS) {
|
|
69
|
-
if (re.test(seg)) {
|
|
70
|
-
out.push({ segment: seg, reason });
|
|
71
|
-
break;
|
|
72
|
-
}
|
|
73
|
-
}
|
|
74
|
-
}
|
|
75
|
-
return out;
|
|
76
|
-
}
|
|
77
|
-
|
|
78
|
-
/** Read .env.yaml and return keys whose value is empty/null/placeholder-shaped. */
|
|
79
|
-
export function findUnfilledEnvKeys(envFilePath: string | undefined): SuggestedFix[] {
|
|
80
|
-
if (!envFilePath || !existsSync(envFilePath)) return [];
|
|
81
|
-
let parsed: unknown;
|
|
82
|
-
try {
|
|
83
|
-
parsed = parseYaml(readFileSync(envFilePath, "utf-8"));
|
|
84
|
-
} catch {
|
|
85
|
-
return [];
|
|
86
|
-
}
|
|
87
|
-
if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return [];
|
|
88
|
-
|
|
89
|
-
const out: SuggestedFix[] = [];
|
|
90
|
-
for (const [key, val] of Object.entries(parsed as Record<string, unknown>)) {
|
|
91
|
-
const reason = classifyEnvValue(val);
|
|
92
|
-
if (reason) {
|
|
93
|
-
out.push({
|
|
94
|
-
kind: "unfilled_env_key",
|
|
95
|
-
key,
|
|
96
|
-
message: `\`${key}\` in ${envFilePath} is unfilled (${reason}). Set it to a real value before re-running.`,
|
|
97
|
-
source: envFilePath,
|
|
98
|
-
});
|
|
99
|
-
}
|
|
100
|
-
}
|
|
101
|
-
return out;
|
|
102
|
-
}
|
|
103
|
-
|
|
104
|
-
function classifyEnvValue(val: unknown): string | null {
|
|
105
|
-
if (val === null || val === undefined) return "null / missing";
|
|
106
|
-
if (typeof val === "string") {
|
|
107
|
-
const trimmed = val.trim();
|
|
108
|
-
if (trimmed === "") return "empty string";
|
|
109
|
-
for (const { re, reason } of ENV_PLACEHOLDER_PATTERNS) {
|
|
110
|
-
if (re.test(trimmed)) return reason;
|
|
111
|
-
}
|
|
112
|
-
}
|
|
113
|
-
return null;
|
|
114
|
-
}
|
|
115
|
-
|
|
116
|
-
export interface BuildSuggestedFixesInput {
|
|
117
|
-
failures: Array<{
|
|
118
|
-
response_status: number | null;
|
|
119
|
-
request_url: string | null;
|
|
120
|
-
suite_name: string;
|
|
121
|
-
test_name: string;
|
|
122
|
-
}>;
|
|
123
|
-
envFilePath?: string;
|
|
124
|
-
}
|
|
125
|
-
|
|
126
|
-
/**
|
|
127
|
-
* Combine placeholder-detection across all 404 failures + env-yaml audit
|
|
128
|
-
* into a single deduplicated list of fixes the agent should apply before
|
|
129
|
-
* re-running.
|
|
130
|
-
*/
|
|
131
|
-
export function buildSuggestedFixes(input: BuildSuggestedFixesInput): SuggestedFix[] {
|
|
132
|
-
const fixes: SuggestedFix[] = [];
|
|
133
|
-
const seenSegments = new Set<string>();
|
|
134
|
-
|
|
135
|
-
for (const f of input.failures) {
|
|
136
|
-
if (f.response_status !== 404) continue;
|
|
137
|
-
for (const ph of detectPlaceholderSegments(f.request_url)) {
|
|
138
|
-
const dedupeKey = `seg:${ph.segment}`;
|
|
139
|
-
if (seenSegments.has(dedupeKey)) continue;
|
|
140
|
-
seenSegments.add(dedupeKey);
|
|
141
|
-
fixes.push({
|
|
142
|
-
kind: "placeholder_path_param",
|
|
143
|
-
key: ph.segment,
|
|
144
|
-
message:
|
|
145
|
-
`404 on \`${f.request_url}\` — path segment \`${ph.segment}\` is a ${ph.reason}. ` +
|
|
146
|
-
`Replace with a real id from the live API (e.g. \`zond prepare-fixtures --apply\`) ` +
|
|
147
|
-
`or set the corresponding fixture in ${input.envFilePath ?? ".env.yaml"}.`,
|
|
148
|
-
source: input.envFilePath,
|
|
149
|
-
});
|
|
150
|
-
}
|
|
151
|
-
}
|
|
152
|
-
|
|
153
|
-
fixes.push(...findUnfilledEnvKeys(input.envFilePath));
|
|
154
|
-
return fixes;
|
|
155
|
-
}
|